A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

Summary

This update introduces a new registry entry CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.

The update allows the administrator to define the following on a system-wide or a per-application basis:

Remove the current working directory from the library search path.

Prevent an application from loading a library from a WebDAV location.

Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location.

Note The CWDIllegalInDllSearch registry setting is available in Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016 without having to install an additional package. You do not have to install update 2264107 to use this registry setting.

More Information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

How the CWDIllegalInDllSearch registry entry works

When an application dynamically loads a DLL without specifying a fully qualified path, Windows tries to locate this DLL by searching through a well-defined set of directories. This set of directories is known as the DLL search path. As soon as Windows locates the DLL in one of these directories, Windows loads that DLL. If Windows does not find the DLL in any of the directories in the DLL search order, the DLL load operation fails.

The LoadLibrary function and the LoadLibraryEx function are used to dynamically load DLLs. The following is the DLL search order for these two functions when SafeDllSearchMode is enabled, which is the default on the versions of Windows that this article covers:

The directory from which the application loaded

The system directory

The 16-bit system directory

The Windows directory

The current working directory (CWD)

The directories that are listed in the PATH environment variable

The newly introduced CWDIllegalInDllSearch registry entry enables computer administrators to modify the behavior of the DLL search path algorithm that is used by LoadLibrary and by LoadLibraryEx. Depending on its value, the entry causes the current working directory to be skipped when it is a WebDAV location, when it is any remote location, or in all cases.

The CWDIllegalInDllSearch registry entry can be added in the following paths:

System-wide: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Per application: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>, where <application binary name> is the file name of the application's executable

The per-application registry entry always overrides the system-wide setting. This allows the system-wide setting to be set restrictively, and a per-application setting to be added for any application that does not work correctly with the system-wide setting.

For example, an administrator could block DLLs from being loaded from both WebDAV and SMB locations by setting the system-wide setting to 2, and could then relax the behavior for a particular application that requires remote loads by setting the Image File Execution Options entry for that application to 0 or 1.

The value of the CWDIllegalInDllSearch registry entry modifies the behavior of LoadLibrary and of LoadLibraryEx as follows.

Scenario 1: The application is started from a local folder, such as C:\Program Files

CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF | Removes the current working directory from the default DLL search order
0 | Uses the default DLL search path that was mentioned earlier
1 | Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder
2 | Blocks a DLL load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location)
No key or other values | Uses the default DLL search path that was mentioned earlier

Scenario 2: The application is started from a remote folder, such as \\remote\share

CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF | Removes the current working directory from the default DLL search order
0 | Uses the default DLL search path that was mentioned earlier
1 | Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder
2 | Allows a DLL load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location)
No key or other values | Uses the default DLL search path that was mentioned earlier

Note that in this scenario a value of 2 does not block remote loads: an application that itself runs from a remote share can still load DLLs from a remote current working directory. Only 0xFFFFFFFF removes the current working directory from the search path regardless of where the application was started.

Scenario 3: The application is started from a WebDAV folder, such as http://remote/share

CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF | Removes the current working directory from the default DLL search order
No key or other values (including 0, 1, and 2) | Uses the default DLL search path that was mentioned earlier

Examples

Example 1: How to disable loading DLLs from a WebDAV share for all applications that are installed on your local computer

Log on to your computer as an administrator.

Open Registry Editor.

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Right-click Session Manager, point to New, and then click DWORD Value.

Type CWDIllegalInDllSearch, and then click Modify.

In the Value data box, type 1, and then click OK.

Example 2: How to disable loading DLLs from a WebDAV share or a UNC share for only a specific application that is installed on the local computer

Log on to your computer as an administrator.

Open Registry Editor.

Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

If a subkey that has the application binary name (the file name of the executable) does not exist, create one: right-click Image File Execution Options, point to New, click Key, and then type the application binary name.

Right-click <application binary name>, point to New, and then click DWORD Value.

Type CWDIllegalInDllSearch, and then click Modify.

In the Value data box, type 2, and then click OK. A value of 2 blocks loads from both WebDAV and UNC locations; type 1 instead to block only WebDAV locations, as in Example 1.
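The two procedures above, together with the system-wide and per-application override described earlier, carried out from an elevated PowerShell prompt instead of Registry Editor. This is an added example for this article, not code from the original KB or from Microsoft. The registry paths are the ones the article gives; the function names and the legacyapp.exe placeholder are this example's own assumptions, and the usage lines at the end apply the article's own example configuration (restrictive system-wide value, one exempted application).

```powershell
# Added example for this article, not part of the original KB text or of any
# Microsoft tool: manages CWDIllegalInDllSearch from an elevated PowerShell
# prompt and audits what the setting is meant to prevent. The registry paths
# are the ones the article describes; the function names are this example's own.

$SystemWideKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName     = 'CWDIllegalInDllSearch'

# The article's values by name. 0xFFFFFFFF is written as Int32 -1 because the
# registry provider stores REG_DWORD through a signed 32-bit integer.
$Modes = [ordered]@{
    RemoveCwd   = [int]-1   # 0xFFFFFFFF: never search the current working directory
    Default     = 0         # default search path
    BlockWebDav = 1         # skip CWD when it is a WebDAV folder
    BlockRemote = 2         # skip CWD when it is WebDAV or UNC (application started locally)
}

function Set-CwdIllegalInDllSearch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RemoveCwd', 'Default', 'BlockWebDav', 'BlockRemote')]
        [string]$Mode,

        # Executable file name, for example legacyapp.exe. Omit for the system-wide setting.
        [string]$ApplicationBinaryName
    )
    $key = $SystemWideKey
    if ($ApplicationBinaryName) {
        # Per-application entries live under Image File Execution Options and
        # override the system-wide value.
        $key = Join-Path $IfeoKey $ApplicationBinaryName
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess("$key\$ValueName", "Set to $Mode")) {
        Set-ItemProperty -Path $key -Name $ValueName -Value $Modes[$Mode] -Type DWord
    }
}

function Get-EffectiveCwdIllegalInDllSearch {
    # Resolves the value LoadLibrary will honor for one executable: the
    # per-application entry if present, otherwise the system-wide one.
    param([Parameter(Mandatory)][string]$ApplicationBinaryName)

    $raw = $null; $source = 'not set'
    $perApp = Get-ItemProperty -Path (Join-Path $IfeoKey $ApplicationBinaryName) `
                               -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $perApp) { $raw = $perApp.$ValueName; $source = 'per-application' }
    else {
        $sys = Get-ItemProperty -Path $SystemWideKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $sys) { $raw = $sys.$ValueName; $source = 'system-wide' }
    }

    if ($null -eq $raw) {
        $display = '(none)'; $meaning = 'default search path (CWD is searched)'
    } else {
        # Read back as unsigned so 0xFFFFFFFF is not shown as -1.
        $value   = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
        $display = '0x{0:X8}' -f $value
        $meaning = switch ($value) {
            4294967295 { 'CWD removed from the search path in every scenario' }
            0          { 'default search path (CWD is searched)' }
            1          { 'CWD skipped only when it is a WebDAV folder' }
            2          { 'CWD skipped when remote (WebDAV or UNC) and the application was started locally' }
            default    { 'unrecognized value; treated as the default search path' }
        }
    }
    [pscustomobject]@{ Application = $ApplicationBinaryName; Value = $display; Source = $source; Meaning = $meaning }
}

function Get-RemoteLoadedModules {
    # Lists DLLs that running processes have mapped from UNC paths, which is
    # what this setting exists to prevent. Mapped drive letters are not
    # recognized, and processes this session cannot open are skipped.
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($m.FileName -like '\\*') {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.ModuleName; Path = $m.FileName }
            }
        }
    }
}

# Mirrors the article's example: restrictive system-wide setting, one exemption.
# legacyapp.exe is a placeholder name for this example.
Set-CwdIllegalInDllSearch -Mode BlockRemote
Set-CwdIllegalInDllSearch -Mode Default -ApplicationBinaryName 'legacyapp.exe'
Get-EffectiveCwdIllegalInDllSearch -ApplicationBinaryName 'legacyapp.exe'
Get-EffectiveCwdIllegalInDllSearch -ApplicationBinaryName 'notepad.exe'
Get-RemoteLoadedModules | Format-Table -AutoSize
```

Set-CwdIllegalInDllSearch supports -WhatIf, so the change can be previewed before it is written. Get-EffectiveCwdIllegalInDllSearch reports which key supplied the value, which is the quickest way to confirm that a per-application exemption is actually taking precedence over the system-wide setting.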

Fix it for me

The fix it solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this fix it solution as a workaround option for customers to protect their systems while a security update is not available or cannot be installed.

This fix it solution will only deploy the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.

Note Before you run the fix it solution, you must first download and then install update 2264107, which is described later in this article. By default, protection is disabled when you install update 2264107. Then, the protection can be configured manually as described in this article, or you can run the fix it. When you run the fix it, protection is enabled to protect against remote, nonsecure DLL loads.

To manually undo the setting that the fix it solution changes, reset the following CWDIllegalInDllSearch registry entry to 0 (zero):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch

A setting of 0 will undo the changes that are made by the fix it solution.

To automatically enable or disable this fix it solution, click the Fix it button or link under the Enable this fix it heading or under the Disable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

Enable this fix it

Disable this fix it

Notes

This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

If you are not on the computer that has the problem, save the fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Update Information

The following files are available for download from the Microsoft Download Center:

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows XP and Windows Server 2003 file information

The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.

GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.

In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For all supported x86-based versions of Windows XP

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxdav.sys | 5.1.2600.6007 | 179,712 | 30-Jun-2010 | 13:16 | x86 | SP3 | SP3GDR
Ntdll.dll | 5.1.2600.6007 | 715,776 | 30-Jun-2010 | 14:56 | x86 | SP3 | SP3GDR
Mrxdav.sys | 5.1.2600.6007 | 180,096 | 30-Jun-2010 | 13:34 | x86 | SP3 | SP3QFE
Ntdll.dll | 5.1.2600.6007 | 715,776 | 30-Jun-2010 | 14:54 | x86 | SP3 | SP3QFE

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxdav.sys | 5.2.3790.4737 | 273,408 | 03-Jul-2010 | 08:24 | x64 | SP2 | SP2GDR
Ntdll.dll | 5.2.3790.4737 | 1,261,568 | 03-Jul-2010 | 08:24 | x64 | SP2 | SP2GDR
Wntdll.dll | 5.2.3790.4737 | 775,680 | 03-Jul-2010 | 08:24 | x86 | SP2 | SP2GDR\WOW
Mrxdav.sys | 5.2.3790.4737 | 273,408 | 03-Jul-2010 | 08:21 | x64 | SP2 | SP2QFE
Ntdll.dll | 5.2.3790.4737 | 1,262,080 | 03-Jul-2010 | 08:21 | x64 | SP2 | SP2QFE
Wntdll.dll | 5.2.3790.4737 | 775,680 | 03-Jul-2010 | 08:21 | x86 | SP2 | SP2QFE\WOW

For all supported x86-based versions of Windows Server 2003

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxdav.sys | 5.2.3790.4737 | 188,928 | 30-Jun-2010 | 13:28 | x86 | SP2 | SP2GDR
Ntdll.dll | 5.2.3790.4737 | 774,656 | 30-Jun-2010 | 16:17 | x86 | SP2 | SP2GDR
Mrxdav.sys | 5.2.3790.4737 | 188,928 | 30-Jun-2010 | 13:34 | x86 | SP2 | SP2QFE
Ntdll.dll | 5.2.3790.4737 | 774,656 | 30-Jun-2010 | 16:35 | x86 | SP2 | SP2QFE

For all supported IA-64-based versions of Windows Server 2003

File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxdav.sys | 5.2.3790.4737 | 552,448 | 05-Jul-2010 | 17:05 | IA-64 | SP2 | SP2GDR
Ntdll.dll | 5.2.3790.4737 | 1,648,128 | 05-Jul-2010 | 17:05 | IA-64 | SP2 | SP2GDR
Wntdll.dll | 5.2.3790.4737 | 775,680 | 05-Jul-2010 | 17:05 | x86 | SP2 | SP2GDR\WOW
Mrxdav.sys | 5.2.3790.4737 | 553,472 | 05-Jul-2010 | 17:02 | IA-64 | SP2 | SP2QFE
Ntdll.dll | 5.2.3790.4737 | 1,648,640 | 05-Jul-2010 | 17:02 | IA-64 | SP2 | SP2QFE
Ntkrnlmp.exe | 5.2.3790.4666 | 6,582,272 | 05-Jul-2010 | 17:02 | IA-64 | SP2 | SP2QFE
Wntdll.dll | 5.2.3790.4737 | 775,680 | 05-Jul-2010 | 17:02 | x86 | SP2 | SP2QFE\WOW

Windows Vista and Windows Server 2008 file information

The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

Version | Product | Milestone | Service branch
6.0.6000.16xxx | Windows Vista | RTM | GDR
6.0.6000.20xxx | Windows Vista | RTM | LDR
6.0.6001.18xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | GDR
6.0.6001.22xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | LDR
6.0.6002.18xxx | Windows Vista SP2 and Windows Server 2008 SP2 | SP2 | GDR
6.0.6002.22xxx | Windows Vista SP2 and Windows Server 2008 SP2 | SP2 | LDR

Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.6000.xxxxx version number.

GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Vista and Windows Server 2008

File name | File version | File size | Date | Time | Platform
Ntdll.dll | 6.0.6001.18499 | 1,203,032 | 30-Jun-2010 | 22:28 | x86
Ntdll.dll | 6.0.6001.22721 | 1,203,032 | 30-Jun-2010 | 22:28 | x86
Ntdll.dll | 6.0.6002.18279 | 1,203,032 | 30-Jun-2010 | 22:28 | x86
Ntdll.dll | 6.0.6002.22435 | 1,203,544 | 30-Jun-2010 | 22:28 | x86

For all supported x64-based versions of Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2 file information

The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

Version | Product | Milestone | Service branch
6.1.7600.16xxx | Windows 7 and Windows Server 2008 R2 | RTM | GDR
6.1.7600.20xxx | Windows 7 and Windows Server 2008 R2 | RTM | LDR

GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows 7

File name | File version | File size | Date | Time | Platform
Ntdll.dll | 6.1.7600.16625 | 1,286,960 | 30-Jun-2010 | 06:27 | x86
Ntdll.dll | 6.1.7600.20745 | 1,286,952 | 30-Jun-2010 | 06:20 | x86

For all supported x64-based versions of Windows 7 and Windows Server 2008 R2